Nethsecurity to Ubiquiti Dream Machine Pro VPN

Hi there, I need to set up a VPN between an up-to-date Ubiquiti Dream Machine Pro and an up-to-date Nethsecurity firewall. I’ve been through each of the GUI options that I thought may work, but can’t get anywhere. The IPSEC option I thought was the closest, but nothing has worked. Has anyone done this? If so, how did you get it to work?

Hi @Socs28

I’m also a Unifi user, and some of my clients also use Unifi firewalls. While VPNs for RoadWarriors work fairly easily out of the box, so far I have not been able to get a Unifi Gateway to connect site2site with anything else.

Unifi packs all networks and vLANs into a single config, while all others use a single file per network.
Unifi also doesn’t present many options for any of the three VPNs; WireGuard isn’t even an option for Site2Site setups… :frowning:

For most of my clients, Site2Site VPN is even more important than RoadWarrior VPN, as some hardly use Roadwarrior VPN, but all use Offsite Backups…

My solution of choice which works:

  • Most of my clients were using OPNsense as a firewall before Unifi; this is a standalone box firewall.
  • All of my clients use Proxmox as Hypervisor.
  • I either kept the OPNsense box or created a new OPNsense VM.
  • This OPNsense box or VM is logically connected to the LAN, with both LAN and WAN connections.
  • WireGuard and OpenVPN Site2Site VPNs are forwarded to the OPNsense WAN Port from the Unifi box (both WG and OpenVPN use forwardable ports, IPsec doesn’t use ports!).
  • The VPN-Network (Both WG and OpenVPN use one!) is routed from Unifi to the OPNsense LAN Port.

This setup works as before, DNS and DHCP are all handled by OPNsense, so are Site2Site VPNs.

OPNsense is way more powerful than Unifi when it comes to DNS, DHCP, VPN or Firewall options; this way my clients and I get the best of both worlds - using the Unifi Ecosystem for networking and e.g. Surveillance (Protect), Door-Access (Access) or other services Unifi provides, yet still having all options for critical services like DNS, DHCP, VPN and Firewall.

All this works rock solid.

→ As such, using a Nethsecurity box in place of OPNsense would work 1:1!!!

Hope this helps!

:slight_smile:

My 2 cents
Andy


Thank you, I am going to look at setting up a nethsecurity VM to use for this purpose. Thanks again.


Would you please expand a bit on this path you abandoned?

I had used the NS GUI for an IPSEC tunnel and tried to match the settings on the Ubiquiti site-to-site IPSEC VPN, but it just didn’t work. I have not found the logging on either device satisfactory to figure out what was off. I’m not sure if there is logging I’m not aware of on the NS device, but the logs in /var/log are lacking for sure.

I matched (a few years ago) IPsec of NethServer 7 with TP-Link, Netgear, Zyxel and Endian Firewall (a firewall distro).
It took a really large number of tries (including that the passphrase donaldduck should be typed into NethServer 7 as @donaldduck). Only one more ace in the sleeve: there’s a transmitter and a receiver, and AFAIK NethServer 7 could not act as a receiver; it had to be the initiator and could not act as responder.

NethServer 7 is not NethSecurity 8 anyway…

The fundamentals are there
https://openwrt.org/docs/guide-user/services/vpn/strongswan/site2site
because OpenWRT is the founding base of NethSec 8; however,
the documentation of NethSec 8 about IPsec is scarce
https://docs.nethsecurity.org/en/latest/ipsec_tunnels.html
because it takes for granted all the background of IPsec from the sysadmin (I know, it’s a 30-year-old protocol) and does not report at all ANY of the supported ciphers, protocols, options and tweaks.

The other option might be

No, this is not true; the key/pass (name may vary) should be typed as is.
[The @ is used for the identifier, but it’s just a convention.]

Thanks for pointing that out.
When I installed those setups, that was specifically reported in the documentation (or in the interface help) and it worked only as reported in my post.
Sorry for the OT.